I have a customer with a Fortinet Firewall that is having stability issues with Asterisk and SIP endpoints (PAP2T) outside his network.

The first issue I see is that Asterisk sees all phones as the IP address of the Fortinet. Since the parameter "localnet" defines the local network and that address falls in that range, how will Asterisk treat the endpoints? I have "nat=yes" for all phones and "canreinvite=no" as well. The "externip" parameter is set to the outside public IP address. Still we have calls with one way audio.

This is the first setup with a firewall that rewrites the IP address of the endpoint so I do not know how that is affecting the packet flow. On my other servers I can always see the public IP of the endpoint.

--
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez Prats
Director de Tecnología
+52-55-91169161 ext 2001

Fortinets have a SIP session-helper. Sometimes this causes issues, try turning it off. To do this you need to enable telnet on the Fortinet management interface. Telnet into the CLI and type the following:

    config system session-helper
    edit 12
    set port 5066
    end

Instead of turning this off or taking it out I am changing the port so it will not affect 5060 anymore. This way you can put it back if this doesn't work for you.

John Bittner
Simlab.net

Peder @ NetworkOblivion
2008-Apr-12 03:37 UTC
[asterisk-users] NAT issue with Fortinet Firewall
FYI, I have probably 10 Fortinet units with multiple SIP phones behind each and all of the phones work flawlessly. As long as the Fortinet is ver 3.0 or newer, it does NAT so that you don't need to have nat=yes on *. No pinholes or static nat or anything, it just works.

As a side note, I probably have 20+ Cisco PIX's with the same setup and they work flawlessly too. I've seen a lot of people saying "fixup sip" breaks phones, but not that I have seen. I just let the PIX do nat and it works fine.

Hello,

I have a system in a motel that needs call billing data output through its serial port so the existing motel management software can collect the call billing info.

Is there any easy way to redirect the data that goes into the cdr_custom/Master.csv file to go out the serial port?

The system is Asterisk 1.4.18.1 on CentOS 5.1

Thanks,
Col

Hello again,

I can copy the file out the serial port by doing this:

    mv Master.csv out1.csv
    cat out1.csv > /dev/ttyS0

If I build a script to do this every 10 or 20 seconds via cron I think it will work fine, unless someone has a better way.

Cheers,
Col

Thanks for the idea Zoa. I've got the cronjob working every minute now using

    # Only act when Asterisk has written records since the last run
    if [ -f /var/log/asterisk/cdr-custom/Master.csv ]
    then
        cd /var/log/asterisk/cdr-custom
        # Move the live file aside, then send it out the serial port
        mv -f Master.csv out1.csv
        cat out1.csv > /dev/ttyS0
    fi

Using tail -f would give me the realtime output, but a few questions as a real Linux novice:

What would be the best way to start this up?
How would I monitor it to make sure it hasn't died, and how to restart?

Cheers,
Col

----- Original Message -----
From: "Zoa" <zoachien at securax.org>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users at lists.digium.com>
Sent: Saturday, April 12, 2008 9:36 PM
Subject: Re: [asterisk-users] cdr_custom output to serial port

> How about a tail -f on Master.csv ?
> Then you will have everything realtime and you will not need a cronjob.
>
> Zoa

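The cron job in the last message overwrites out1.csv on every run, so a failed write to /dev/ttyS0 loses that batch of billing records. The following is an added example, not part of the original thread: a cron-friendly variant that keeps records queued until the write succeeds and refuses to run twice at once. The function name and the batch.tmp, pending.csv, sent.csv and .flush.lock file names are assumptions, and it assumes, as the thread's own script does, that Asterisk recreates Master.csv after it has been moved away.

```shell
#!/bin/sh
# Added example (not from the thread): cron-safe drain of Asterisk CDRs to a
# serial device. Hypothetical names: flush_cdr, batch.tmp, pending.csv,
# sent.csv, .flush.lock. Assumes, as the thread's script does, that Asterisk
# recreates Master.csv after it has been moved away.
#
# flush_cdr SPOOL_DIR DEVICE
#   0  all queued records were written to DEVICE
#   1  a step failed; unsent records stay in pending.csv for the next run
#   2  another run holds the lock (a lock left by a killed run must be
#      removed by hand)
flush_cdr() {
    spool=$1
    dev=$2
    lock="$spool/.flush.lock"

    # mkdir is atomic, so overlapping cron runs cannot both proceed.
    mkdir "$lock" 2>/dev/null || return 2
    rc=0

    # Take the live file with one atomic rename, unless a batch from an
    # interrupted run is still waiting to be queued.
    if [ -f "$spool/Master.csv" ] && [ ! -e "$spool/batch.tmp" ]; then
        mv "$spool/Master.csv" "$spool/batch.tmp" || rc=1
    fi

    # Append the batch to the queue; delete it only once it is queued.
    if [ -f "$spool/batch.tmp" ]; then
        cat "$spool/batch.tmp" >> "$spool/pending.csv" \
            && rm -f "$spool/batch.tmp" || rc=1
    fi

    # Send the whole queue, oldest record first. Only a successful write
    # moves the records to the archive and empties the queue.
    if [ -s "$spool/pending.csv" ]; then
        if cat "$spool/pending.csv" > "$dev"; then
            cat "$spool/pending.csv" >> "$spool/sent.csv" \
                && rm -f "$spool/pending.csv" || rc=1
        else
            rc=1
        fi
    fi

    rmdir "$lock"
    return "$rc"
}
```

Saved to a file and sourced from a once-a-minute cron entry, it would be called as `flush_cdr /var/log/asterisk/cdr-custom /dev/ttyS0`; a non-zero exit status is the signal to alert on.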